Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The HIPAA privacy rule generally requires individual healthcare providers, institutional providers such as hospitals, their workforce members and their contractors to use and disclose Protected Health Information (PHI) only as permitted or required by the HIPAA privacy rule. PHI is protected health information. PHI is any information linkable to a beneficiary that includes health information. This includes IIHI, which is individually identifiable health information.

The HIPAA privacy rule permits providers to use and disclose PHI without a patient’s written authorization for purposes of treatment, payment and healthcare operations. The rule also permits uses and disclosures of PHI without a patient’s authorization in various situations not involving treatment, payment and healthcare operations.

In the Military Health System (MHS), one of the most important exceptions to the authorization requirement is the military command exception. This permits limited disclosures of PHI about Active Duty Service Members (ADSMs) to their military commanders to determine fitness for duty or certain other purposes.

Providers must establish administrative, physical and technical safeguards. Actual or possible unauthorized use or disclosure of PHI (i.e., a breach) may require notifying affected individuals and reporting to DHA and other government entities.